Due to the nature of the operations allowed through the Management API you should treat tokens issued to it with care, more specifically, it’s not recommended to store them in association with user data or even disclose them to end-users as that increase the chances of leakage.

If you want to provide an administration client application so that certain highly privileged users can perform management tasks associated with your account the recommended approach would be:

Expose the administrative actions through your client application with the proper authorization checks.

A user would only be allowed to trigger the action if it had the necessary permissions/roles.

From the server-side component that handles the previously authorized requests obtain the tokens with the minimum scopes required to perform the management actions through a client credentials grant.

Call the management API with the token to perform the action.

The above approach is a rough description of what should happen; the important parts are that tokens are obtained and used only by server-side components (less chances of them leaking) and access to the endpoints that perform management API actions must have proper authorization checks to ensure that the user in question has the necessary permissions to perform such action.

Ok, thank you for your answer. I understand that I can create a admin-client and give scopes to that but I dont want to create a client for each role.

What about this? I have a client where I log in and recieve a token for user. The token contains roles/permissions for that user. I make a call to my backend/api with that token. I then check the permission based on the route.